SMOKEDHAM (Malware Family)

SMOKEDHAM

According to Mandiant, SMOKEDHAM is dropped through a powershell script that contains the (C#) source code for this backdoor, which is stored in an encrypted variable. The dropper dynamically defines a cmdlet and .NET class for the backdoor, meaning the compiled code is only found in memory.

References

2022-06-29 ⋅ Mandiant ⋅ Jared Wilson
Burrowing your way into VPNs, Proxies, and Tunnels
DarkSide SMOKEDHAM

2021-06-16 ⋅ FireEye ⋅ Jared Wilson, Justin Moore, Mike Hunhoff, Nick Harbour, Robert Dean, Tyler McLellan
Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise
Cobalt Strike SMOKEDHAM

2021-06-16 ⋅ Mandiant ⋅ Jared Wilson, Jordan Nuce, Justin Moore, Mike Hunhoff, Nick Harbour, Robert Dean, Tyler McLellan
Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise
Cobalt Strike SMOKEDHAM

There is no Yara-Signature yet.

SMOKEDHAM Propose Change

References

SMOKEDHAM